Storage and file-sharing vendor Dropbox made a huge cock-up during last weekend's upgrade leaving all of its user accounts unlocked. Encryption is not performed by the cloud provider's client, meaning that all customer information was there for the taking on Sunday between 1.54pm and 5.46pm. Dropbox issued no official comment …
Another massive win for the cloud...
Security in other peoples' hands - what could go wrong?
It might cost slightly more and not be as well polished, but SpiderOak does at least ensure that things like this can't happen to your data (assuming SO aren't lying, of course).
Agree about the interfaces, but SpiderOak is actually half the price of Dropbox - $10/month per 100gb vs $20/month per 100gb for Dropbox.
... canceled. They've been rather too cavalier of late and rather too full of their own importance.
They've been full of their own importance?
why cancel - encrypt
If they got access to my account then they could have downloaded an encrypted truecrypt file
"This should never have happened. We are scrutinising our controls and we will be implementing additional safeguards to prevent this from happening again…"
You mean testing changes before you implement them ?
Intriguing. I wonder why nobody has thought of this before !
Oh they probably tested
Yeah, they probably tested alright. On the live system instead of dev or tst instances.
All credibility is lost, for how long?
"affected less than 1%..."
I recently got fobbed off by Royal Mail with the same line "less than 1% of our customers have problems with redirections"...
THAT IS FOR YOUR SHAREHOLDERS!!! If as a user I am in that 1%, then it 100% affects me.... you muppets.
It isn't for their shareholders. They're not even a publicly listed company. You are not a shareholder. You're a user of a free service.
Whats free, posting costs stamps, and redirection costs a fee depending on how long you redirect for.
Isn't this their third security fubar in as many months?
Typical security breach spin
Less than one percent. So that's perfectly alright then. Sounds so much better than 250,000.
I'm right not to have trusted them
I've used Dropbox for a few years and love the free service, but I have never trusted them enough to put my most private and important files into my dropbox. It's tempting to use it as an off-site backup of critical files (in case you house burns down or a burglar steals your PC and backup DVDs) but I don't totally trust the competence of these services where encryption is not done at the client and the customer doesn't exclusively hold the key.
Communication is critical if there's a problem. Failing to talk to customers quickly enough always ends with angry customers. Yeah, I know it's a free service for most people. Glad I didn't upgrade.
2.5Gb backup space for your pc?
and as far as i know, the upgrades are automatic - you don't get to choose when it happens?
Re: you don't get to choose when it happens?
Unacceptable, but typical... Cloud providers who offer free services or even cheap budget services statistically WILL screw up at some point.
The important thing is for users to be aware of this and not treat the cloud as secure storage for sensitive data. Honestly anyone who trusts dropbox, mobileme, box.net or any other such service who their sensitive data is a fool...
On the other hand if people managed to access some photos that I wanted to share with my mum, or an mp3 that I wanted to sync to my phone, no big deal. And that's the kind of thing these services are only good for really.
Paris, because only she would trust her private data to the cloud e.g. her sex tapes ;-)
Dropbox should include client-side encryption.
Sugarsync, Wuala, SpiderOak are all viable alternatives, some (all?) of which properly encrypt user data. There is no reason for a service as popular as Dropbox to protect its customers by implementing client-side encryption. If they did, this would not have been an issue.
Less than 1%
1% is a dimensionless number and is utterly worthless and meaningless. Being *nearly* right isn't ever *good enough*.
If I wrote code that was only 99% accurate then it would, to me and my customers, be completely useless.
Similarly, if a typist is only 99% accurate in her work, she'll soon get fired.
The devil is in the detail, not the stats.
1% of what?
If 99% of the programs I write compile and work correctly the first time, that's pretty good. If my typist has a 1% chance of making a mistake on any given day, that's outstanding. If my engine blows up once every 10 million rotations, that's still better than six-sigma performance.
Check your context before you start spouting nonsense.
If you intended your engine example to also be an example of good performance, then it is way out. 10 million rotations of an engine = 85 hours (assuming a very conservative average 2000 RPM), which for a 1 hour a day commuter would be a shade over 4 months. In any case, six sigma relates to defect-free products and has nothing to do with expected failure rate.
At say 2500rpm ten million rotations/revolutions only sounds like a month or two's normal driving...
Going somewhere else
Given it's a free service, exactly what sort of threat is 'well, I'll just have to take my business elsewhere!' going to be? Pretty much sod all, I'd have thought, unless like 40% of their user base does it, which probably isn't going to happen.
And here we we why the penetration of "Free and Open" software, such as Open Office./Office Libre have such corporate pushback.
No-one wants to be standing on the CEO's carpet saying "well, what do you expect, It's *free*".
I keep telling people that this is not an excuse and not an explanation, but I keep hearing it from people who don't understand the negative payload of that viewpoint in the long run.
Either it's a free alternative, or it's just free. That should be clear when the service is offered. Don't act surprised when people don't want to use "Just Free" instead of the Big Boy alternatives, even if they cost money up front.
The issue isn't that the accounts were thrown open to anyone who cared to ask to come in for a read (well, it is but that apparently is beyond the "talents" of the people working at this mickey mouse operation), it's that the owners of those now compromised accounts were kept out of the information loop once the problem was discovered.
Clearly, then, it matters from *someone's* point of view that this not get about, and the only reason for that - given that the EULA undoubtedly offers no suggestion that security will be a given - must be that Dropbox do *NOT* want their customers flying the coop.
Any miscreants could have got hold of a list of my son's choir practice dates and a complete database of all my passwords.
Fortunately, one of these was encrypted.
The lack of client-side encryption is precisely why I don't trust Dropbox with anything sensitive. I also have a full backup of most of my family's data (>1.5TB) on Crashplan's servers. Crashplan (which, BTW, I strongly recommend) implements client-side encryption with the option of a user generated key.
One of these companies got my money, the other didn't. Guess which was which?
Why would you put sensitive stuff on a thing like dropbox anyway?
I use dropbox but would never entertain dropping anything of any importance or sensitivity in there. That just seemed like asking for trouble. I'm just waiting for the BBC report about some civil servant who's been sharing confidential excel spreadsheets with colleagues via drop box. It'll be the new "USB-stick-lost-on-a-train" story template.
However given this latest performance I'm ditching it. Who knows what other little "flaw" is awaiting users such as whole machine pwning through some undocumented backdoor they've been asked to secretly add by the security services.
That's me grabbing my tin foil hat and jacket.
no there wont.
because 'dropbox' is blocked from here ;)
The the article author
Please look up the meaning of FUBAR and use it correctly.
While not normally a grammar/spelling Nazi, this use of FUBAR is just ignorant, and not entertaining.
Trusting the 'cloud' is foolish and this is just one example of that foolishness.
Nice to know you've read the Jargon File
We all know FUBAR is short for f*cked up beyond all recognition. However many would argue that that is exactly the situation at Dropbox
I had just signed up and started using Dropbox. I didn't know anything about this. Now I'm worried about whether I should continue using it or not.
For a company that's handling millions of peoples files, how could they allow such a huge security problem to slip through?
For those saying "encrypt your files before uploading to dropbox" - that's easy to say but slightly impractical and difficult to actually do.
Captain Obvious here....
Someone explain to me for as popular as Dropbox is, why the HELL don't they force encryption on the client side BEFORE uploading.
Oh wait, I know why. So they can TURN OVER your stuff to the authorities!
First they admit their staff can access our files (but won't because the rules say not... honest) and now they open password-free access to my data for a night. I'm off...
...Mine's the one with the Spideroak logo on the pocket.
Simple solution is to use..
USB drives... Some of them come with decent backup software. Use two, alternate regularly and you have a good home backup.
I dropped Dropbox...
a few weeks ago when I discovered that they had changed "can't access user data" to "not permitted to access user data".
I went to Wuala which uses client side encryption. Not quite a classy on the client software user interface but it works, is cheaper and I'm much more comfortable about its security.
It can happen to the best of us!
Dropbox is stil good product and with cloudHQ you can even synchronize all you Dropbox files with Google Docs, edit Dropbox files inside a Google Docs interface, etc...
I don't have this problem because...
...for my PC backups I use Mozy which is owned by EMC, who also own RSA... who better to trust with your data?
Encrypted or not...
"If they got access to my account then they could have downloaded an encrypted truecrypt file"
Encrypted or not I would still rather they did not get 'access' to the file at all.
I really like Dropbox for various reasons (great Mac/Linux support, seamless mirroring of files, multiple backups of important stuff, etc.), but have always used a Truecrypt container for anything sensitive - just as well, it would seem.
Think it's time I looked seriously at an EncFS folder in my Dropbox - I'd rather not go to a competing service, though I'll be considering it seriously if this carries on (Wuala looks interesting).
Just received an invite from big brother to join DB
as I've shunned FB invites past. ( adjusts tinfoil hat jacket pants and boots ) Sent him links here and a bunch of attached photos by return. Ain't SMTP grand ! Note to self - use it more.
Hi Pete !
You just have to accept that ANY data you store off site on a 3rd party service may be exposed to the entire web.
Once you have accepted that then decide what data you feel comfortable with that the world and his wife plus dog & goldfish can possibly have access to.
the thing is, for some people you need data storing off site and it has to be secure. As a photographer, I have a massive archive of photographs that includes the very fist photographs I ever took. the negatives long since lost. I need this to be safe and at no risk of loss. My sister is also a photographer and needs a very safe off-site backup.. we decided the best way is to run identical servers and at the end of each day my data is backed up on her servers and her data is backed up on my servers via VPN tunnelling. both of our servers have plenty of levels of redundancy...
if you want secure data, don't trust anyone but yourself with that security...
I use dropbox, its a very convenient way to share data between my mobile phone and my pc, but i wouldn't use it for anything that i consider to be confidential.
I would also imagine out of the 1% or 250,000 users that its only a very small % of those that actually have data that needs to be uber secure and when you consider how many of those actually had data accessed then your probably looking at a handful... and shame on them for using a web based service for sensitive data and not encrypting it first.... and that goes for the rest of the people complaining about data exposure....